by yooakim at 2012-09-10 11:16:52
I am struggling with working with an internal LDAP catalog (non-Microsoft) from research on the net I’ve figured out that the best bet I have is to use the System.DirectoryServices.Protocols namespace.by DonJ at 2012-09-10 15:27:40
That’s all good but I have not been able to get it to work properly, I’ have found many examples using System.Directory.Services but not System.DirectoryServices.Protocols.
Has anyone here come across any good examples using System.DirectoryServices.Protocols?
/joakim
I’ve not. This isn’t an excellent place to ask for help with the raw .NET Framework classes, although we’ll see if anyone jumps in with the answer you need. You might consider posting on StackOverflow.com, which gets a bigger developer-oriented audience, who are more likely to have worked directly with this.by poshoholic at 2012-09-10 18:05:09
I’ll also ping a couple of folks I know who do a lot of AD programming and see if they can’t chime in here. Fingers crossed.
Brandon Shell (another PowerShell MVP) has done some work with System.DirectoryServices.Protocols in the past. I would take a look at this article he published about it: http://bsonposh.com/archives/325.by RichardSiddaway at 2012-09-11 12:22:09
He may also have some examples of that in his BSonPosh module.
I have one example I can shareparam($find=$null)
if ($find -eq $null){Return}
## load the protocols assembly
##Resolve-Assembly -Name System.DirectoryServices.Protocols -Import
$null = [reflection.assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
## find the deleted accounts
$adspath = "LDAP://DC=manticore,DC=org"
$root = [System.DirectoryServices.DirectoryEntry]$adsPath
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(&(isDeleted=TRUE)(objectclass=user))"
$search.tombstone = $true
$result = $search.Findall()
## use the input parameter
$exguy = $result | where{$_.path -like $find}
## connect to DC
$server = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]"dc02.manticore.org"
$conn = [System.DirectoryServices.Protocols.Ldapconnection]($server)
$conn.sessionoptions.protocolversion = 3
$conn.credential = [System.Net.CredentialCache]::DefaultNetworkCredentials
$conn.Bind()
## get distinguished names
$olddn = $exguy.properties.distinguishedname[0].ToString()
$newdn = "cn=" + $exguy.properties["cn"][0].ToString().Split("`n")[0] + "," + $exguy.properties["lastknownparent"][0]
## remove the deleted attribute
$dam = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$dam.Name = "isDELETED"
$dam.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
## reset distinguished name
$dam2 = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$dam2.Name = "distinguishedname"
$dam2.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$dam2.Add($newdn)
## build request
$damset = @($dam, $dam2)
$mr = New-Object System.DirectoryServices.Protocols.ModifyRequest -argumentlist $olddn, $damset
$sdc = New-Object System.DirectoryServices.Protocols.ShowDeletedControl
$mr.Controls.Add($sdc)
## request undelete
$conn.SendRequest($mr)
## Now we recover the user attributes from the snapshot
## with thanks to Guido Grillenmeir for the original code
##
## set DC and snapshot
$ADSnapShot = "dc02.manticore.org:60000"
$ProductionAD = "dc02.manticore.org"
# get directory entry for user in production AD
$adsPath = "LDAP://$ProductionAD/" + $newdn
$user_prod = [ADSI]($adsPath)
# get directory entry for user in AD snapshot
$adsPath = "LDAP://$ADSnapShot/" + $newdn
$user_snap = [ADSI]($adsPath)
# write data to user in production AD
$user_prod.sn = $user_snap.sn
$user_prod.givenName = $user_snap.givenName
$user_prod.SamAccountName = $user_snap.samAccountName
$user_prod.UserPrincipalName = $user_snap.UserPrincipalName
$user_prod.DisplayName = $user_snap.DisplayName
$user_prod.streetAddress = $user_snap.streetAddress
$user_prod.l = $user_snap.l
$user_prod.c = $user_snap.c
$user_prod.CommitChanges()
foreach ($groupDN in $user_snap.memberOf)
{
$group = [ADSI]("LDAP://$ProductionAD/" + $groupDN)
$group.Add("LDAP://"+$newdn)
$group.CommitChanges()
}
## reset password
$user_prod.SetPassword("4rEA11yC0mpl3xPwd")
$user_prod.CommitChanges()
## set user must change password at next logon
$user_prod.pwdLastSet = 0
$user_prod.CommitChanges()
## enable account
## reset account control
$user = [ADSI]("LDAP://$newdn")
$user.useraccountcontrol = 512
$user.commitchanges()